In the United States, there have been a number of important rulings by the Supreme Court which are disturbing in and of themselves. But there are additional concerns due to the political climate - in some states more than others. While I could give you advice on what I think you should do politically, I am not going to lie - professional politics and how to make positive and long-lasting changes to undo recent events is not an area I am an expert in. So I’ve decided to focus on an area I have more direct experience with - Modern-day digital tracking.

I’ll cover some recommendations on software as well as hardware, and I will try to gear this towards non-technical people as much as I can, although I will try to include some technical depth here and there to both appease the more technically minded and those wanting a deeper understanding.

Don’t take my word on anything! Yes, I do recommend deleting your period-tracking app and simply using a calendar, but this is a blog post and not a book, so research into some of these topics may uncover information that seemed unimportant to me but is important to you. I’d recommend searching the Internet for any and all information you can get. However when you do that, avoid using Google and consider something more privacy oriented, such as DuckDuckGo.

One further note - I am not saying you have to do any of this as I am going a bit overboard in my recommendations, but I do know that there are people that will feel better if they have a bit more control during a time when things seem out of control. Just feeling prepared might help you mentally prepare for whatever may lie ahead, whether this gets better or worse in the coming months and years.

Related Background

As a hacker who has been investigated by more than one U.S. Government agency, targeted by foreign governments for helping out dissidents, and is in general a rather privacy-oriented paranoid type, there are some things I’ve picked up along the way.

Also note I’ve conducted research projects where I’ve examined hardware and software, as well as dealt with OPSEC issues for government contractors, government adversaries, human rights workers, and investigative reporters. So I’ll be covering a number of areas in this blog post.

The Main Point

As we use tech, it leaves a digital footprint of sorts. While some apps claim they do not use your name or email address, they can still collect enough data that can uniquely identify your device. When collected and organized by data brokers (BTW highly recommend the video in that link!) it can most definitely pinpoint who you are, what you’ve looked for on the Internet, where you live, and (thanks to your phone) where you go and when.

We’ll cover a few ways one can be compromised by such technology, and we’ll cover some strategies you might want to apply.

Web Browser

Various articles and full-blown presentations at security conferences on browsers and their impact on privacy and security have been done, so I’ll be brief. If you’re really serious about privacy, consider Brave or Firefox on the browser list, but you’re going to need to tweak a lot of settings and add some browser extensions like Ghostery, Adblock Plus, and uBlock Origin. These will help block those pesky cookies and bits of invasive JavaScript that are used.

Email

Most people use a free email service such as Gmail or Outlook. Don’t. They are run by large companies that are in the money-making business, not the privacy business. There are a few privacy-oriented email services such as ProtonMail which is based in Switzerland and is extremely privacy-focused. For the nerd types, I can also recommend running your own mail server, but you really will need to be a glutton for self-punishment.

If you feel that you simply cannot unleash yourself from something like Gmail, then at least consider using ProtonMail for extremely sensitive communications and manage two accounts. Leave Gmail for all of those goofy websites, but for anything you really wish to remain private, use ProtonMail. And if you can, insist on the recipient using a ProtonMail account as well.

A further note on email - there are additional settings you can adjust such as not rendering HTML in email (e.g. “display images”) as those pretty pictures are often downloaded from a website that now knows where you are and what kind of device you’re reading your email on, in addition to knowing you looked at the email.

Messaging

Use Signal. That’s it. Normal text messages, social media messaging, and a number of other dedicated apps give a sense of privacy to one degree or another, but every privacy freak I know uses Signal. You can set conversations to expire (i.e. auto-delete) and I recommend you do so, in case someone gets access to your phone when it is unlocked.

Phones

I’ve done a fair number of research projects on this topic. While I recommend watching a presentation I did on phones, it is geared toward nerds, so here’s a quick summary.

• All phones have five radios - GPS, cellular, WiFi, Bluetooth, and NFC. GPS is receive only, while the other radios can transmit as well as receive. The four that can transmit can allow for remote tracking as they carry information unique to the phone. The easiest types of tracking are WiFi and Bluetooth, which happen to be the easiest to turn off.

• Most phone apps use the cloud to store, share, and process data. Many accounts used by these apps also allow for access via a web browser, so they both use web-based protocols for moving data between them. Apps are typically no more than highly-specialized web browsers with one important distinction - they do not have all of the privacy settings that web browsers have.

• I’ve mainly looked at business apps, and while some of them are fine, roughly half have security flaws or are uploading unnecessary personal data about either my phone or myself. Yes, there are some phone settings that can minimize this but if you have the choice, access sensitive information from the web browser and delete the app.

Other Devices

There are other devices out there that can be tracked via some of the same techniques used to track phone radios. If a device uses Bluetooth or WiFi to talk to another device, it can potentially be tracked. Personal protection devices, fitness trackers, and most smart watches can all be tracked. A WiFi “hot spot” can be tracked.

Modern vehicles offer Bluetooth connectivity for hands-free phone usage and music streaming. Many newer vehicles even offer WiFi services (via something like Onstar) to support multiple devices within your car.

Scanners

The two main scanner techniques I’ve personally dealt with are WiFi and Bluetooth scanners. It’s not illegal to listen to radio transmissions, and there are numerous phone and laptop apps that allow anyone to collect this data. While most web traffic (and a decent amount of Bluetooth traffic) is encrypted, the main point here is that these transmissions use unique identifiers commonly referred to by nerd types as MAC addresses (Media Access Control addresses) to allow the traffic to communicate. The scanners look for WiFi and Bluetooth devices that are broadcasting their presence, and in that “advertising” process, they reveal their unique MAC address.

Modern phones and smart watches do have randomization of MAC addresses, but traditional WiFi does not. This includes most personal devices such as fitness trackers, your car’s WiFi, and WiFi hot spots.

I’ve done some playing around with SDR (Software-Defined Radio) but not enough to be an expert at it, so let’s just say if your various devices use any radio signal transmission at all, they can be picked up.

Do governments do this type of tracking? Yes. Your city or state government might be using scanners for monitoring traffic flow by using MAC addresses collected via phones in the driver’s pocket or handbag, or use license plate readers to track movement. Google’s infamous street-mapping vehicles collect this information during their collection of visual data, allowing surrounding captured MAC addresses to help pinpoint exact locations. There are no laws in the US currently in place that prevent law enforcement from collecting this data - either collecting it themselves, accessing databases with collected images of traffic or monitored MAC addresses, purchasing it from a data broker that has the data, or all three.

The government also uses tech like SDR including handheld and drone-mounted versions, and will track and monitor phones using what is know as a Stingray. Usage of Stingrays is commonly thought to be used by the federal agencies, but even some state and local police forces use Stingrays.

Basic Mitigation

I want to cover a few basics right up front. Always run the latest version, and always apply patches and updates. This is paramount as there are fixes that go into new software all the time, so to keep things as secure as possible, always patch.

Also note that every new operating system version update could include new features which might require new privacy settings to adjust. Keep this in mind for every version update to operating systems like MacOS, Windows, Linux, iOS, and Android. If you asked me what operating system you should run, I’d recommend Linux, but then again I’m probably more familiar with that one than the others - which is an important point. If you’re fairly proficient with Windows and other operating systems seem foreign, perhaps you should stick with Windows as you know your way around it better. Regardless, check settings constantly. I do have a somewhat outdated blog post and video that cover Windows, and those settings should give you some idea of what to expect when it comes to that.

Whenever you create an account on any website, see if you can enable Two-Factor Authentication, usually shortened to 2FA or MFA (for Multi-Factor Authentication). If you have a choice between text messages (SMS) and one of those authenticator apps that generate a six-digit code (aka TOTP or Time-based One Time Password), pick the latter. Even better, if you can use a hardware device like a Yubikey (for U2F), this is the ultimate choice. This will help protect online accounts. And remember, use a password manager and generate a complex and unique password for every login that you use.

If you do any research into 2FA, you will see people saying SMS is insecure. It’s true that SMS is the least secure of the 2FA choices, but keep in mind that it is way better than no 2FA, so take it if it’s your only choice.

Better OPSEC

We can’t always eliminate our digital footprint, as tech in our society is everywhere. But offering up alternate footprints or eliminating tracing actions back to you can help. OPSEC, or Operational Security, is (in our context) being able to manage the risk by minimizing our exposure. There are a few ways to do this.

• Check out my blog post on avoiding physical surveillance. It is more general in nature, but should give you some pointers.

• Get a burner phone. Getting one not traceable to you personally requires some discipline, and I’ve covered the necessary steps (along with a few other items) in a blog post.

• If you want to purchase something anonymously, such as pregnancy tests or condoms, read the afore-mentioned burner phone blog post and use same method that was used to purchase the burner.

• In that same burner phone blog post I also mention using a personal VPN. The ProtonMail people now have ProtonVPN, there’s Mullvad, ExpressVPN, and NordVPN as well. Use it on your laptop as well as any phones, including the burner itself. Definitely use it when on someone else’s WiFi, or if you are visiting web locations you don’t want traced back to you by an outsider.

• When out and about on your anonymous excursions, remember to dress drab, and wear your mask (especially now while the pandemic gives you the perfect excuse). You won’t stand out and you’ll thwart facial recognition systems.

I casually mentioned in the burner phone blog post ordering a Lyft “anonymously”. It is very similar to how one would order their burner phone - you are in essence creating a separate identity.

• Purchase your burner phone (if you don’t have one) and a faraday bag via Amazon as outlined in the burner phone blog post. The burner should be in the faraday bag at all times while it is at your home, and should have a personal VPN installed and configured.

• Leave your regular phone at home (it will show via cell tower pings it is at your home) and with your burner in the faraday bag, go to one of those cheap cellular stores that sells very cheap SIMs for a small set of talk minutes and text data. Buy at least one, and pay cash. Dress drab and wear a mask while you are there.

• Go to a neutral location, walk a block or so to someplace with free WiFi, then remove the burner from the faraday bag and turn on the personal VPN. Set up the SIM in the burner.

• Similar to how you set up an Amazon account in the burner phone blog post, set up a Lyft account using your new phone number while still connected to free WiFi.

• Order a Lyft and go to your destination, and do what you need to do. Stay masked up the entire time.

• After the visit, Lyft back to where you were picked up. Put the burner in the faraday bag, walk back to your car, and drive home.

Conclusion

I hope some of this information has been helpful. Due to the nature of the blog post in the current climate, you might refrain from contacting me for direct help, as I know I am already on various “lists” and whatnot. Nonetheless, if you have a question, comment, or recommendation feel free to (safely) contact me via thegnome at nmrc.org, and I can update the blog post as need be.